Mind the Gap: Understanding Cyber Security Risks as Business Risks

By Prof Awais Rashid (Lancaster University)

The world is experiencing a massive growth in highly connected systems and infrastructures – ranging from smart cities to critical infrastructure such as financial systems, power grids, energy, water and manufacturing systems. While this connectivity opens up a whole new space for innovative products and services, it also increases the attack surface of such systems, making them potentially vulnerable to cyber attacks. As a result, cyber security is now a pervasive requirement, one that we cannot and must not ignore.

It is, therefore, important that decision-makers are able to effectively understand and respond to cyber security risks from a business continuity and recovery perspective in order to evaluate and prioritise their mitigation responses. However, doing so is far more complex than one may envisage. We lack any effective metrics for articulating cyber risk as business risk. Most metrics for articulating cyber risk tend to be rooted in technical measures. Though technical measures are important at a lower level of abstraction, they often bear little relationship to typical factors used in business risk analysis, such as business continuity, disaster recovery, cost, reputation, impact on resources, etc.

The problem is compounded by the fact that most metrics are ordinal – there is a propensity to derive a single numerical figure, which often results in masking or losing knowledge that is essential to business risk decision-making. Such a tendency to over-simplify also makes it difficult, if not impossible, to articulate the risk of second and third order business impacts, that is, across space and time. Furthermore, cyber security risks are not merely a technical issue. They often arise where technologies, people and organisational cultures intersect. Thus we must understand not only the technical factors but also the social and organisational factors shaping such risks and our responses to them.

We are tackling these issues within project MUMBA, funded by the Engineering and Physical Sciences Research Council as part of the Research Institute in Trustworthy Industrial Control Systems. While our focus is on cyber-physical infrastructures, the problem is not limited to such systems. Our modern digital economy relies on these connected systems and infrastructures. And we cannot hope to manage cyber security risks in such an environment effectively unless we tackle the challenges highlighted above.

—

Professor Awais Rashid is Director of the cross-disciplinary Security Lancaster research centre at Lancaster University, UK. He heads the Academic Centre of Excellence in Cyber Security Research at Lancaster, leads a project as part of the UK Research Institute on Trustworthy Industrial Control Systems (RITICS), co-leads the Security and Safety theme within the UK Hub on Cyber Security of Internet of Things (PETRAS) and is a member of the UK Centre for Research and Evidence on Security Threats (CREST).